iam-policy-validator 1.11.1__py3-none-any.whl → 1.12.0__py3-none-any.whl

{iam_policy_validator-1.11.1.dist-info → iam_policy_validator-1.12.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.11.1
+Version: 1.12.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.11.1.dist-info → iam_policy_validator-1.12.0.dist-info}/RECORD

@@ -1,8 +1,8 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=VA38cDITf2Rm6FSdOiIMZHEocdI2rmYOPTSCCAIrJ-M,374
+iam_validator/__version__.py,sha256=W6lxpjiojokhUhDmTpeymt8Z-W7jmcwUbVTvLyrpAko,374
 iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
-iam_validator/checks/action_condition_enforcement.py,sha256=6LJfO7DCgf10rtPjaZ5P4fmb5hfxJUBS5w1CrOiCu5Q,52442
+iam_validator/checks/action_condition_enforcement.py,sha256=oj3hsh3LwPneYAsQ6iBd61ToIJMr6aDIixKP-zkaqKI,55053
 iam_validator/checks/action_resource_matching.py,sha256=WiGJmCIJfx5yituMjZxpKmk-99N6nK20ueN02ddy9oM,19296
 iam_validator/checks/action_validation.py,sha256=QXfNamcstQIO41zNed1-bCmXYkXdV77owu8G2cZ09-A,2517
 iam_validator/checks/condition_key_validation.py,sha256=QJjG82wxvjdG2m-YuEzAjKRRiWaaPkf_LChdUTvm9g4,3919
@@ -93,8 +93,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.11.1.dist-info/METADATA,sha256=yEdzYv7iyjewXjI59L_Jy5la1Gl49V6rObTECdOGfgY,34456
-iam_policy_validator-1.11.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.11.1.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.11.1.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.11.1.dist-info/RECORD,,
+iam_policy_validator-1.12.0.dist-info/METADATA,sha256=oRx7SWFfzvm7WejCfUXLfGDYYAe-lnIBf74cfwigqT8,34456
+iam_policy_validator-1.12.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.12.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.12.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.12.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.11.1"
+__version__ = "1.12.0"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/action_condition_enforcement.py

@@ -125,6 +125,22 @@ Configuration in iam-validator.yaml:
                 - "iam:DeleteUser"
                 - "s3:DeleteBucket"
             description: "These dangerous actions should never be used"
+
+          # Per-requirement ignore_patterns: Skip specific requirements for certain files/actions
+          - actions:
+              - "iam:CreateRole"
+              - "iam:PutRolePolicy"
+              - "iam:AttachRolePolicy"
+            required_conditions:
+              - condition_key: "iam:PermissionsBoundary"
+                description: "Require permissions boundary for IAM operations"
+            ignore_patterns:
+              # Ignore this requirement for iam-openid modules (they enforce boundary by default)
+              - filepath_regex: ".*modules//?iam-openid.*"
+
+Note: ignore_patterns can be specified at TWO levels:
+  1. Check-level (applies to ALL requirements): Useful for broad exclusions
+  2. Requirement-level (applies to ONE requirement): Useful for fine-grained control
 """
 
 import re
@@ -132,6 +148,7 @@ from typing import TYPE_CHECKING, Any, ClassVar
 
 from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.ignore_patterns import IgnorePatternMatcher
 from iam_validator.core.models import Statement, ValidationIssue
 from iam_validator.utils.regex import compile_and_cache
 
@@ -181,7 +198,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         Returns:
             List of ValidationIssue objects found by this check
         """
-        del policy_file, kwargs  # Not used in current implementation
+        del kwargs  # Not used in current implementation
         issues = []
 
         # Get action condition requirements from config
@@ -211,16 +228,60 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             if uses_logical_operators:
                 # Policy-wide detection (all_of/any_of/none_of)
                 policy_issues = await self._check_policy_wide(policy, requirement, fetcher, config)
+                # Filter by requirement-level ignore_patterns
+                policy_issues = self._filter_requirement_issues(
+                    policy_issues, requirement.get("ignore_patterns", []), policy_file
+                )
                 issues.extend(policy_issues)
             else:
                 # Per-statement check (simple list)
                 statement_issues = await self._check_per_statement(
                     policy, requirement, fetcher, config
                 )
+                # Filter by requirement-level ignore_patterns
+                statement_issues = self._filter_requirement_issues(
+                    statement_issues, requirement.get("ignore_patterns", []), policy_file
+                )
                 issues.extend(statement_issues)
 
         return issues
 
+    def _filter_requirement_issues(
+        self,
+        issues: list[ValidationIssue],
+        ignore_patterns: list[dict[str, Any]],
+        filepath: str,
+    ) -> list[ValidationIssue]:
+        """
+        Filter issues based on requirement-level ignore patterns.
+
+        This allows each requirement within action_condition_enforcement to have its own
+        ignore patterns, enabling fine-grained control over which findings to suppress.
+
+        Args:
+            issues: List of validation issues to filter
+            ignore_patterns: List of ignore pattern dictionaries for this requirement
+            filepath: Path to the policy file being checked
+
+        Returns:
+            Filtered list of issues (issues matching ignore patterns are removed)
+
+        Example:
+            A requirement can ignore specific files while other requirements check them:
+            - actions: ["iam:CreateRole"]
+              required_conditions: [...]
+              ignore_patterns:
+                - filepath_regex: ".*modules/iam-openid.*"
+        """
+        if not ignore_patterns:
+            return issues
+
+        return [
+            issue
+            for issue in issues
+            if not IgnorePatternMatcher.should_ignore_issue(issue, filepath, ignore_patterns)
+        ]
+
     async def _check_policy_wide(
         self,
         policy: "IAMPolicy",